Term rewriting has a significant presence in various areas, not least in automated theorem proving 
where it is used as a proof technique. Many theorem provers employ specialised proof tactics for 
rewriting. This results in an interleaving between deduction and computation (i.e., rewriting) steps. 
If the logic of reasoning supports partial functions, it is necessary that rewriting copes with potentially 
ill-defined terms. In this paper, we provide a basis for integrating rewriting with a deductive proof 
system that deals with well-definedness. The definitions and theorems presented in this paper are the 
theoretical foundations for an extensible rewriting-based prover that has been implemented for the 
set theoretical formalism Event-B. 



1 Introduction 



Term rewriting has an important presence in many areas including abstract data type specifications and 
automated reasoning. In this regard, many automated theorem provers employ rewriting as a proof 
technique where it may interleave with deduction. PVS [15] and Isabelle/HOL [14] are higher-order 
theorem provers that include specialised tactics for rewriting. 

The interleaving between rewriting steps and deduction steps poses several difficulties. The termination 
of rewriting becomes an issue of paramount importance. Many techniques, such as term orderings, 
have been explored to provide good practical solutions to termination problems. We argue that, 
in the presence of potentially ill-defined terms, rewriting has to be further constrained. 

Ill-defined terms arise in the presence of partial functions. They result from the application of functions 
to terms outside their domain. If ill-definedness is a concern, the adopted reasoning framework 
has to cope with it. Different approaches exist to reason in the presence of partial functions. Each of 
these approaches has its own specialised proof calculus. In [12], it is shown that it is possible to reason 
about partiality without abandoning the well-understood domain of two-valued predicate logic. In 
that approach, the reasoning is achieved by extending the standard calculus with derived proof rules that 
preserve well-definedness across proofs. We argue that, in order to integrate rewriting as a proof step in 
such a calculus, it is necessary that rewriting preserves well-definedness. 

In this paper, we present a treatment of term rewriting where term well-definedness is an issue. Our 
treatment unifies the notions of well-definedness (WD) and rewriting, and provides a basis to integrate 
rewriting as a proof step within the proof system presented in [12]. Central to our contribution is the 
concept of WD-preserving rewriting, where rewrite rules preserve well-definedness in the same direction 
in which they are applied. We establish the necessary conditions under which rewriting preserves well-
definedness. We finally show how a rewrite step can be interleaved with deduction steps in a valid 
fashion. 

*This research is carried out as part of DEPLOY (a European Commission FP7 Project, Grant 214158). The first author is 
partially supported by the Algerian Ministry of Higher Education (MESRS). 
Figure 1: A Simple Model for a Door Entry System 



1.1 Practical Setting 

Event-B [3] is a formalism for discrete systems modelling based on Action Systems. It can be used 
to model and reason about complex systems such as concurrent and reactive systems. The semantics of 
a model developed in Event-B is given by means of its proof obligations. These obligations have to be 
discharged to show consistency of the model with respect to some behavioural semantics. 

Modelling in Event-B is conducted by defining contexts and machines. Contexts describe static 
properties of a model by specifying carrier sets and constants. Machines, as their name suggests, define 
the dynamics of a model by means of variables (state) and events (transitions). Variables are constrained 
by invariants. A machine can be refined by another machine, and can see (import) contexts. Proof 
obligations arise to verify the consistency of a model. For instance, there are proof obligations to establish 
the refinement relationship between two machines, and to establish invariant preservation by the events 
(transitions). The logic used in Event-B is typed set theory built on first-order predicate logic, and 
allows the definition of partial functions. As such, it is necessary that the proof system used handles 
ill-definedness. Indeed, the proof calculus outlined in [12] is the one used to reason in Event-B. Figure 1 
illustrates a simple Event-B model for a door entry system. 
The Rodin platform [1] is an open extensible tool for Event-B based on Eclipse. It offers support 
for specification and proof, and it can be easily extended with other useful tools; e.g., there is a plug-in 
for model checking called ProB [10]. 



1.2 Motivation 

The Rodin platform has a proving infrastructure which is extensible with new proof rules. External 
provers can also be used; the Atelier-B [2] provers ML and PP have been incorporated into Rodin. Adding 
new proof rules requires the use of the Java programming language, knowledge of Eclipse as well as 
an understanding of the internal architecture of Rodin. A complication of such an approach is that newly 
implemented rules could compromise the soundness of the prover. This work has been carried out as 
part of an effort to address this limitation of Rodin from the viewpoint of prover extensibility. This paper 
discusses some theoretical results in the context of rewriting and well-definedness. The ideas presented 
in this paper have resulted in providing proof support for the set theoretical formalism Event-B [3]. An 
extensible rewriting-based prover [11] has been implemented and integrated into Rodin. 

Outline. In Section 2 we recall some preliminary concepts of term rewriting systems. Section 3 
describes the necessary conditions under which rewriting preserves well-definedness. Section 4 shows 
how a WD-preserving rewrite rule can be used in proofs. The application of the previous ideas in the 
context of Event-B [3] is shown in Section 5. We conclude in Section 6 by stating what we have achieved 
and its impact on the Event-B toolset. 



1.3 Related Work 

The interleaving between deduction and rewriting steps has gathered much interest given its importance 
to automated reasoning. In this work, we identify the necessary conditions under which rewriting can 
interleave with deduction in the proof calculus defined in [12]. In other works, this interleaving is studied 
from different perspectives. 

Theorem proving modulo is an approach that removes computational steps from proofs by reasoning 
modulo a congruence on propositions [9]. The advantage of this technique is that it separates computation 
steps (i.e., rewriting) from deduction steps in a clean way. In [9], a proof-theoretic account of 
the combination between computations and deductions is presented in the shape of a sequent calculus 
modulo. The congruence on propositions, on the other hand, is defined by rewrite rules and equational 
axioms. 

The combination of rewriting and deduction makes properties of rewrite systems of practical interest. 
Termination and confluence properties of term rewriting systems are important, and have been studied 
extensively [5, 8]. When rewriting is interleaved with deduction, it is critical that computation steps 
terminate. Term orderings, in which any term that is syntactically simpler than another is smaller than 
the other, provide a practical technique to assess the termination of rewrite systems. 

In our work, we aim to unify the notions of well-definedness and rewrite systems. Our objective 
is to characterise the interaction between deduction and rewriting when well-definedness is taken into 
consideration. This is achieved by identifying the necessary conditions under which computations can 
interleave with the deduction steps (i.e., proof rules) of [12]. 
2 Preliminaries 

In this section, we lay the groundwork for the rest of the paper. We briefly introduce the proof calculus 
defined in [12]. We also shed some light on basic concepts of term rewriting systems. For the rest of 
this paper, we use the language signature $\Sigma$ defined by a set $V$ of variable symbols, a set $F$ of function 
symbols and a set $P$ of predicate symbols. In the next two definitions, we introduce the syntax of the 
first-order predicate calculus with equality that will be used in the subsequent sections. 

Definition 2.1 (Term) $T_\Sigma$, the set of $\Sigma$-terms, is inductively defined by: 

• each variable of $V$ is a term; 

• if $f \in F$, $\mathit{arity}(f) = n$ and each of $e_1, \dots, e_n$ is a term, then $f(e_1, \dots, e_n)$ is a term. 

Definition 2.2 (Formula) $F_\Sigma$, the set of $\Sigma$-formulas, is inductively defined by: 

• $\bot$ is a formula; 

• $p(t_1, \dots, t_n)$ is a formula provided $p \in P$, $\mathit{arity}(p) = n$ and each of $t_1, \dots, t_n$ is a term; 

• $t_1 = t_2$ is a formula provided $t_1$ and $t_2$ are terms; 

• $\varphi \wedge \psi$ is a formula if $\varphi$ and $\psi$ are formulas; 

• $\neg\varphi$ is a formula if $\varphi$ is a formula; 

• $\forall x \cdot \varphi$ is a formula if $x \in V$ and $\varphi$ is a formula. 

Note that other logical operators (e.g., $\exists$) can be defined by means of the operators in the 
previous definition. For the rest of the paper, we assume a syntactic operator $\mathit{Var} : (F_\Sigma \cup T_\Sigma) \to \mathbb{P}(V)$ 
such that $\mathit{Var}(t)$ is the set of variables occurring free in $t$. 



2.1 The Well-Definedness Operator 

The well-definedness operator $\mathcal{D}$ encodes what is meant by well-definedness. $\mathcal{D} : (F_\Sigma \cup T_\Sigma) \to F_\Sigma$ is a 
syntactic operator that maps terms and formulae to their well-definedness predicates. We interpret the 
formula $\mathcal{D}(F)$ as being valid if and only if $F$ is well-defined. For a detailed treatment of the $\mathcal{D}$ operator, 
we refer to [4]. 

The well-definedness (WD) of terms is defined recursively as follows: 

$\mathcal{D}(x) = \top \quad \text{if } x \in V$ (1) 

$\mathcal{D}(f(t_1, \dots, t_n)) = \bigwedge_{i=1}^{n} \mathcal{D}(t_i) \;\wedge\; C_f(t_1, \dots, t_n)$ (2) 

where $C_f$ effectively defines the domain of the function $f$. For this study, we assume that predicate 
symbols are total. As a result, ill-definedness can only be introduced by terms. Therefore, we have the 
following: 

$\mathcal{D}(p(t_1, \dots, t_n)) = \bigwedge_{i=1}^{n} \mathcal{D}(t_i) \quad \text{if } p \in P$ (3) 

$\mathcal{D}(t_1 = t_2) = \mathcal{D}(t_1) \wedge \mathcal{D}(t_2) .$ (4) 

For the well-definedness of other formulae, we use the following expansions: 

$\mathcal{D}(\bot) = \top$ (5) 

$\mathcal{D}(\neg\varphi) = \mathcal{D}(\varphi)$ (6) 

$\mathcal{D}(\varphi \wedge \psi) = (\mathcal{D}(\varphi) \wedge \mathcal{D}(\psi)) \vee (\mathcal{D}(\varphi) \wedge \neg\varphi) \vee (\mathcal{D}(\psi) \wedge \neg\psi)$ (7) 

$\mathcal{D}(\forall x \cdot \varphi) = (\forall x \cdot \mathcal{D}(\varphi)) \vee (\exists x \cdot \mathcal{D}(\varphi) \wedge \neg\varphi)$ (8) 
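The recursion above is easy to mechanise. The following Python module is an added example (not code from the paper or from the Rodin prover): it encodes terms and formulas as tuples, keeps the domain conditions $C_f$ of equation (2) in a table, and computes $\mathcal{D}$ by the recursion (1)-(8). The tuple encoding, the table entries for `div` and `card`, and the sample formula are assumptions made for this illustration.

```python
"""The well-definedness operator D of Section 2.1, equations (1)-(8), computed
over a small abstract syntax.  Added example, not code from the paper or the
Rodin prover.  The tuple encoding of terms/formulas and the DOMAIN_COND table
(the C_f of equation (2)) are assumptions made for this illustration."""
from typing import Dict, Tuple

# Terms:    a variable is a str; an application is ("app", f, (t1, ..., tn)).
# Formulas: ("bot",), ("pred", p, (t1, ..., tn)), ("eq", t1, t2), ("not", phi),
#           ("and", phi, psi), ("forall", x, phi).  T abbreviates not(bot).
TOP: tuple = ("not", ("bot",))

# Assumed domain conditions C_f(a1, ..., an): formal argument names plus the
# formula that must hold for f(a1, ..., an) to be defined.  Total function
# symbols (e.g. "zero", "plus") are simply absent from the table.
DOMAIN_COND: Dict[str, Tuple[Tuple[str, ...], tuple]] = {
    "div": (("a", "b"), ("not", ("eq", "b", ("app", "zero", ())))),  # b /= 0
    "card": (("s",), ("pred", "finite", ("s",))),                     # finite(s)
}


def subst(sigma: Dict[str, object], e):
    """Simultaneous replacement of free variables, used to instantiate C_f."""
    if isinstance(e, str):
        return sigma.get(e, e)
    tag = e[0]
    if tag in ("app", "pred"):
        return (tag, e[1], tuple(subst(sigma, t) for t in e[2]))
    if tag == "forall":  # the bound variable shadows sigma inside the body
        inner = {k: v for k, v in sigma.items() if k != e[1]}
        return ("forall", e[1], subst(inner, e[2]))
    return (tag,) + tuple(subst(sigma, x) for x in e[1:])


def conj(*fs) -> tuple:
    """Right-nested conjunction with trivial T conjuncts dropped."""
    fs = [f for f in fs if f != TOP]
    if not fs:
        return TOP
    out = fs[-1]
    for f in reversed(fs[:-1]):
        out = ("and", f, out)
    return out


def disj(*fs) -> tuple:
    """Disjunction via the primitive connectives: not(not phi and not psi)."""
    if TOP in fs:
        return TOP
    out = fs[-1]
    for f in reversed(fs[:-1]):
        out = ("not", ("and", ("not", f), ("not", out)))
    return out


def wd(e) -> tuple:
    """D(e) for a term or a formula e, following equations (1)-(8)."""
    if isinstance(e, str):                                # (1) variables
        return TOP
    tag = e[0]
    if tag == "app":                                      # (2) args WD and C_f
        f, args = e[1], e[2]
        parts = [wd(t) for t in args]
        if f in DOMAIN_COND:
            names, cond = DOMAIN_COND[f]
            parts.append(subst(dict(zip(names, args)), cond))
        return conj(*parts)
    if tag == "pred":                                     # (3) predicates total
        return conj(*(wd(t) for t in e[2]))
    if tag == "eq":                                       # (4)
        return conj(wd(e[1]), wd(e[2]))
    if tag == "bot":                                      # (5)
        return TOP
    if tag == "not":                                      # (6)
        return wd(e[1])
    if tag == "and":                                      # (7)
        phi, psi = e[1], e[2]
        dp, dq = wd(phi), wd(psi)
        return disj(conj(dp, dq), conj(dp, ("not", phi)), conj(dq, ("not", psi)))
    if tag == "forall":                                   # (8)
        x, phi = e[1], e[2]
        dp = wd(phi)
        if dp == TOP:                 # forall x . T  is T, so the disjunction is T
            return TOP
        exists = ("not", ("forall", x, ("not", conj(dp, ("not", phi)))))
        return disj(("forall", x, dp), exists)
    raise ValueError(f"unknown node {tag!r}")


# Constructed example:  (a div b) = c  is well-defined iff  b /= 0.
EXAMPLE = ("eq", ("app", "div", ("a", "b")), "c")

if __name__ == "__main__":
    print(wd(EXAMPLE))
    print(wd(wd(EXAMPLE)))   # WD conditions are themselves well-defined
```

Running the module prints the WD condition of $(a \;\mathrm{div}\; b) = c$, namely $b \neq 0$, and then the WD condition of that condition, which is $\top$. The property that well-definedness conditions are themselves well-defined holds for this table because the domain conditions it contains use only total symbols; a table whose $C_f$ mention partial symbols would need a further round of `wd` on the conditions.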
The well-definedness of formulae built using derived logical operators can be straightforwardly derived, 
see [13]. An important property of well-definedness conditions is that they are themselves well-
defined [13]; i.e., 



2.2 The WD-preserving Sequent Calculus 

We assume the signature $\Sigma$ is equipped with a proof theory in the shape of a WD-preserving first-order 
sequent calculus similar to the one appearing in [12]. A judgement in the aforementioned calculus is 
called a well-defined sequent, and is of the form $H \vdash_{\mathcal{D}} G$ defined as follows: 

$H \vdash_{\mathcal{D}} G \;\hat{=}\; \mathcal{D}(H), \mathcal{D}(G), H \vdash G .$ 

That is, the well-definedness of $H$ and $G$ is assumed when proving $H \vdash G$. Generally speaking, when 
proving a sequent $H \vdash G$, the approach suggests proving its validity as well as its well-definedness: 

$\mathrm{WD}_{\mathcal{D}} : \quad \vdash \mathcal{D}(H \vdash G)$ 

$\mathrm{Validity} : \quad H \vdash_{\mathcal{D}} G$ 

where $\mathcal{D}(H \vdash G)$ is defined as $\mathcal{D}(\forall \vec{x} \cdot H \Rightarrow G)$ such that $\vec{x}$ are the free variables of $H$ and $G$. 

A proof rule is said to preserve well-definedness (WD) iff its consequent and antecedents only contain 
well-defined sequents (i.e., $\vdash_{\mathcal{D}}$ sequents). Figure 2 introduces the theory $\mathrm{FoPCe}_{\mathcal{D}}$ (a collection of WD-
preserving inference rules) as developed in [12]. Note that we use $x \backslash H$ to denote the non-freeness 
condition of $x$ in $H$. We also use $[x := E]P$ to denote the syntactic replacement of all free occurrences 
of the variable $x$ in $P$ by the term $E$. The boxed sequents in Figure 2 correspond to the additional 
sequents that have to be discharged, compared to the classical version of the rule, in order to preserve well-
definedness. 
Figure 2: Inference Rules of $\mathrm{FoPCe}_{\mathcal{D}}$ 



Proof rules for derived logical operators (e.g., $\vee$, $\Leftrightarrow$ and $\exists$) can be derived directly from the rules 
of $\mathrm{FoPCe}_{\mathcal{D}}$. The following two proof rules can be derived with a detour through $\vdash$ sequents (classical 
reasoning): 

and 

hyp 



P R 

In Sections 3 and 4 we show how rewriting can be interleaved with the inference rules of $\mathrm{FoPCe}_{\mathcal{D}}$. 
For the rest of the paper, we assume that the reader is familiar with the basic notions of rewriting as 
found, for instance, in [5]. We define the domain and range of a substitution $\sigma$ (both finite), denoted 
$\mathrm{Dom}(\sigma)$ and $\mathrm{Ran}(\sigma)$ respectively, as follows: 

$\mathrm{Dom}(\sigma) = \{\, x \in V \mid \sigma(x) \neq x \,\} ,$ 

$\mathrm{Ran}(\sigma) = \{\, t \in T_\Sigma \mid \exists x \cdot x \in \mathrm{Dom}(\sigma) \wedge t = \sigma(x) \,\} .$ 

Note that the application of a substitution $\sigma$ to a term $l$ simultaneously replaces occurrences of variables 
by their respective $\sigma$-images. For the rest of this work, we restrict substitutions according to the following 
definition: 

Definition 2.3 (Non-conflicting Substitution) A substitution $\sigma$ is said to be non-conflicting iff 

$\Big[\bigcup_{t \in \mathrm{Ran}(\sigma)} \mathit{Var}(t)\Big] \cap \mathrm{Dom}(\sigma) = \emptyset .$ 

Intuitively, a non-conflicting substitution can be simulated by a syntactic replacement as follows: 

$\sigma(l) = [x_1 := \sigma(x_1)] \dots [x_n := \sigma(x_n)]\; l ,$ 

such that $x_1, \dots, x_n$ are the free variables in $l$, and $x_i \backslash \sigma(x_j)$ for all $i$ and $j$ where $1 \le i \le n$ and $1 \le j \le n$. 

In this case, we have the following important property: 

$\mathcal{D}(\sigma(l)) \;\Leftrightarrow\; \bigwedge_{e \in \mathrm{Ran}(\sigma)} \mathcal{D}(e) \;\wedge\; \sigma(\mathcal{D}(l)) ,$ 

which can be proved by induction on the structure of terms. 

One of the main concepts of term rewriting is that of positions in terms and formulae, where $\varepsilon$ denotes 
the root position. Positions within a formula (or a term) describe paths to its subterms and subformulae. 
When $p$ is a position in a formula $F$, we write $F|_p$ for the term or formula at position $p$ in formula $F$. We 
write $F[s]_p$ for the formula that results from replacing $F|_p$ with $s$ in $F$. 



3 WD-Preserving Rewriting 

In this section, we show how rewriting preserves equality of terms, validity of formulae and well- 
definedness of both terms and formulae. The next definitions describe what is meant by a conditional 
rewrite rule. 

Definition 3.1 (Conditional Identity) A $\Sigma$-conditional identity (simply conditional identity) is a triplet 
$(l, c, r) \in T_\Sigma \times F_\Sigma \times T_\Sigma$. In this case, $l$ is called the left hand side, $r$ the right hand side, and $c$ the condition 
of the identity. 

Definition 3.2 (Valid Conditional Identity) A conditional identity $(l, c, r)$ is valid iff the following 
sequent is provable 



A conditional identity can be turned into a rewrite rule if it satisfies the syntactic restrictions presented 
in the following definition: 

Definition 3.3 (Conditional Term Rewrite Rule) A conditional term rewrite rule is a conditional identity 
$(l, c, r)$ such that: 

1. $l$ is not a variable, 

2. $\mathit{Var}(c) \subseteq \mathit{Var}(l)$, 

3. $\mathit{Var}(r) \subseteq \mathit{Var}(l)$. 

In this case, we use the notation $l \xrightarrow{c} r$ instead of $(l, c, r)$. 

In the derivations of Figure 3 and Figure 4, we single out the necessary conditions under which 
rewriting can be performed. Figure 3 concerns the rewriting of a hypothesis that has an occurrence of a 
rewrite rule left hand side $l$. Note the presence of the condition $\sigma(c)$. We assume that the free variables 
of $\sigma(c)$ also occur free in $\varphi[\sigma(l)]_p$; this ensures that $\sigma$ denotes the same substitution in both $\sigma(c)$ and 
$\varphi[\sigma(l)]_p$. Figure 4, on the other hand, concerns the rewriting of a goal which has an occurrence of a 
rewrite rule left hand side $l$. 

Figure 3: Hypothesis Rewriting 

Figure 4: Goal Rewriting 



The boxed sequents correspond to the conditions under which a formula (a hypothesis or the goal) 
can be rewritten. In summary, a conditional term rewrite rule $l \xrightarrow{c} r$ can be applied to a formula $\varphi[\sigma(l)]_p$ 
(the goal or one of the hypotheses) iff the following sequents are provable: 

$\sigma(c), \mathcal{D}(\varphi[\sigma(l)]_p) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\varphi[\sigma(r)]_p)$ (9) 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \varphi[\sigma(l)]_p \Leftrightarrow \varphi[\sigma(r)]_p .$ (10) 



In the rest of this section, we examine the sufficient restrictions on conditional term rewrite rules to 
ensure that sequents (9) and (10) are provable for a given formula $\varphi$, a position $p$ and a substitution $\sigma$. 

Definition 3.4 A conditional rewrite rule $l \xrightarrow{c} r$ is said to be WD-preserving iff the following sequent is 
provable: 

$\mathcal{D}(l), c \;\vdash_{\mathcal{D}}\; \mathcal{D}(r) .$ 

We turn our attention to rewrite rule application. Consider applying rule $l \xrightarrow{c} r$ to a formula $P[s]_p$ 
where $s$ is a term, as is $P|_p$. The left hand side $l$ is matched against $s$ by finding a substitution $\sigma$ such that 
$\sigma(l) = s$ (one-way matching). Provided $\sigma(c)$ holds, $P[s]_p$ can be rewritten to $P[\sigma(r)]_p$. 
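As an added example (not the paper's or the Rodin prover's code), the module below implements the one-way matching and replacement just described, using the same tuple encoding of terms and formulas as the earlier well-definedness example: positions are tuples of 1-based child indices, and the module provides $\mathrm{Dom}$, the non-conflicting check of Definition 2.3, the syntactic restrictions of Definition 3.3, and a `rewrite` step that returns the rewritten formula together with the instance $\sigma(c)$ left to discharge. The sample rule is an assumed conditional form of rule (32) from Section 5, $\mathit{card}(i..j) \to j - i + 1$ under the assumed condition $i \le j$, and the goal $\mathit{card}(1..n) = n$ is constructed for the illustration.

```python
"""Positions, non-conflicting substitutions, one-way matching and a single
conditional rewrite step (Section 3), over the same tuple encoding of terms and
formulas as in the previous example: a variable is a str, an application is
("app", f, args), and formula nodes are ("pred", p, args), ("eq", t1, t2),
("not", phi), ("and", phi, psi), ("forall", x, phi).  Added example, not the
paper's or the Rodin prover's code; the sample rule and its condition are
illustrative assumptions."""
from typing import Dict, Iterator, List, Optional, Set, Tuple

Pos = Tuple[int, ...]      # () is the root position; i.q descends into child i (1-based)


def children(e) -> tuple:
    """Ordered children of a node; variables and nullary symbols have none."""
    if isinstance(e, str):
        return ()
    if e[0] in ("app", "pred"):
        return e[2]
    if e[0] == "forall":
        return (e[2],)
    return e[1:]


def with_children(e, kids: List) -> tuple:
    """Rebuild node e with new children (same tag and symbol)."""
    if e[0] in ("app", "pred"):
        return (e[0], e[1], tuple(kids))
    if e[0] == "forall":
        return ("forall", e[1], kids[0])
    return (e[0],) + tuple(kids)


def at(e, p: Pos):
    """e|p: the subterm or subformula at position p."""
    for i in p:
        e = children(e)[i - 1]
    return e


def replace(e, p: Pos, s):
    """e[s]p: e with the subtree at position p replaced by s."""
    if not p:
        return s
    kids = list(children(e))
    kids[p[0] - 1] = replace(kids[p[0] - 1], p[1:], s)
    return with_children(e, kids)


def positions(e, prefix: Pos = ()) -> Iterator[Pos]:
    yield prefix
    for i, k in enumerate(children(e), 1):
        yield from positions(k, prefix + (i,))


def free_vars(e) -> Set[str]:
    if isinstance(e, str):
        return {e}
    if e[0] == "forall":
        return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(k) for k in children(e)))


def apply_subst(sigma: Dict[str, object], e):
    """Simultaneous replacement of free variables by their sigma-images."""
    if isinstance(e, str):
        return sigma.get(e, e)
    if e[0] == "forall":
        inner = {k: v for k, v in sigma.items() if k != e[1]}
        return ("forall", e[1], apply_subst(inner, e[2]))
    return with_children(e, [apply_subst(sigma, k) for k in children(e)])


def match(pattern, s, sigma: Optional[Dict[str, object]] = None):
    """One-way matching of a term pattern against term s: sigma(pattern) == s."""
    sigma = {} if sigma is None else sigma
    if isinstance(pattern, str):
        if pattern in sigma and sigma[pattern] != s:
            return None                      # same variable, different images
        sigma[pattern] = s
        return sigma
    if isinstance(s, str) or s[0] != "app" or s[1] != pattern[1]:
        return None
    if len(children(pattern)) != len(children(s)):
        return None
    for a, b in zip(children(pattern), children(s)):
        if match(a, b, sigma) is None:
            return None
    return sigma


def dom(sigma) -> Set[str]:
    return {x for x, t in sigma.items() if t != x}


def non_conflicting(sigma) -> bool:
    """Definition 2.3: no variable of Ran(sigma) lies in Dom(sigma)."""
    return all(free_vars(t).isdisjoint(dom(sigma)) for x, t in sigma.items() if t != x)


def is_rewrite_rule(l, c, r) -> bool:
    """The syntactic restrictions of Definition 3.3."""
    return (not isinstance(l, str)
            and free_vars(c) <= free_vars(l) and free_vars(r) <= free_vars(l))


def rewrite(rule, phi, p: Pos):
    """Apply l -c-> r at position p of phi.  Returns (phi[sigma(r)]p, sigma(c)):
    the rewritten formula and the condition instance sigma(c) that remains to be
    discharged (sequents (9)/(10)); None if l does not match phi|p or sigma is
    conflicting (a real prover would rename the rule's variables apart instead)."""
    l, c, r = rule
    sigma = match(l, at(phi, p))
    if sigma is None or not non_conflicting(sigma):
        return None
    return replace(phi, p, apply_subst(sigma, r)), apply_subst(sigma, c)


# Assumed rule in the spirit of (32): card(i..j) -(i <= j)-> j - i + 1.
ONE = ("app", "one", ())
RULE = (("app", "card", (("app", "range", ("i", "j")),)),      # l
        ("pred", "le", ("i", "j")),                            # c (assumed)
        ("app", "plus", (("app", "minus", ("j", "i")), ONE)))  # r

# Constructed goal:  card(1..n) = n ; the redex sits at position 1.
GOAL = ("eq", ("app", "card", (("app", "range", (ONE, "n")),)), "n")

if __name__ == "__main__":
    assert is_rewrite_rule(*RULE)
    print(rewrite(RULE, GOAL, (1,)))
```

Applied at position 1 of the goal, the step yields the formula $(n - 1) + 1 = n$ together with the obligation $1 \le n$; the WD obligation (9) is not generated here, since it is exactly what Theorem 3.7 discharges for a rule that is known to be WD-preserving.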

The following theorem states that the application of a valid and well-definedness preserving conditional 
term rewrite rule preserves equality (11) and well-definedness (12) of terms. 

Theorem 3.5 Let $l \xrightarrow{c} r$ be a conditional term rewrite rule, $t$ be a term, $p$ be a position within $t$, and $\sigma$ 
be a non-conflicting substitution such that 

$\mathrm{Dom}(\sigma) \subseteq \mathit{Var}(l) .$ 

If $l \xrightarrow{c} r$ is valid and WD-preserving, then the following two sequents are provable: 

$\sigma(c) \;\vdash_{\mathcal{D}}\; t[\sigma(l)]_p = t[\sigma(r)]_p ,$ (11) 

$\mathcal{D}(t[\sigma(l)]_p), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(t[\sigma(r)]_p) .$ (12) 



Proof. The following lemma is needed to prove Theorem 3.5. 

Lemma 3.6 Let $l \xrightarrow{c} r$ be a conditional term rewrite rule, and $\sigma$ be a non-conflicting substitution such 
that 

$\mathrm{Dom}(\sigma) \subseteq \mathit{Var}(l) .$ 

1. If $l \xrightarrow{c} r$ is valid, then the following sequent is provable: 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \sigma(l) = \sigma(r) .$ 

2. If $l \xrightarrow{c} r$ is WD-preserving, then the following sequent is provable: 

$\mathcal{D}(\sigma(l)) \wedge \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\sigma(r)) .$ 

Proof. We observe that the sequent 

$\vdash\; \forall \vec{x} \cdot [(\mathcal{D}(l) \wedge \mathcal{D}(c) \wedge \mathcal{D}(r) \wedge c) \Rightarrow l = r]$ (13) 

(where $\vec{x}$ are the free variables of $l$) is provable if the sequent 

$c \;\vdash_{\mathcal{D}}\; l = r$ 

is also provable. We also observe that the sequent 

$\vdash\; \mathcal{D}(\forall \vec{x} \cdot [(\mathcal{D}(l) \wedge \mathcal{D}(c) \wedge \mathcal{D}(r) \wedge c) \Rightarrow l = r])$ (14) 

is provable. Since the substitution $\sigma$ can be simulated as a sequence of syntactic replacements, instantiating 
$\vec{x}$ in (13) with the appropriate terms in $\mathrm{Ran}(\sigma)$ is the main idea of the proof of the first claim. 
The proof of the second claim follows a similar approach. 
1. Proof of sequent (11): We proceed by induction on the structure of the term $t$. 

(a) Base Case: $t$ is a variable, $t = x$. In this case (11) becomes 

$\sigma(c) \;\vdash_{\mathcal{D}}\; x[\sigma(l)]_\varepsilon = x[\sigma(r)]_\varepsilon ,$ 

since variables have only one position ($\varepsilon$, the root position). This simplifies to 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \sigma(l) = \sigma(r) ,$ 

which is a provable sequent according to Lemma 3.6. 

(b) Inductive Case: $t$ is a function application, $t = f(t_1, \dots, t_n)$. We distinguish the cases $p = \varepsilon$ and $p = i.q$ 
for $1 \le i \le n$ and some position $q$. 

i. Case $p = \varepsilon$: this case is similar to the base case. 

ii. Case $p = i.q$: we assume the following inductive hypothesis (in this case a provable 
sequent) 

$\sigma(c) \;\vdash_{\mathcal{D}}\; t_i[\sigma(l)]_q = t_i[\sigma(r)]_q ,$ 

and we show that 

$\sigma(c) \;\vdash_{\mathcal{D}}\; f(t_1, \dots, t_i[\sigma(l)]_q, \dots, t_n) = f(t_1, \dots, t_i[\sigma(r)]_q, \dots, t_n)$ 

is a provable sequent, where $i.q = p$. 



2. Proof of sequent (12): We proceed by induction on the structure of the term $t$. 

(a) Base Case: $t$ is a variable, $t = x$. In this case (12) becomes 

$\mathcal{D}(x[\sigma(l)]_\varepsilon), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(x[\sigma(r)]_\varepsilon) ,$ 

since variables only have the root position $\varepsilon$. This simplifies to 

$\mathcal{D}(\sigma(l)), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\sigma(r)) ,$ 

which is a provable sequent according to Lemma 3.6. 

(b) Inductive Case: $t$ is a function application, $t = f(t_1, \dots, t_n)$. We distinguish the cases $p = \varepsilon$ and $p = i.q$ 
for $1 \le i \le n$ and some position $q$. 

i. Case $p = \varepsilon$: this case is similar to the base case. 

ii. Case $p = i.q$: we assume the following inductive hypothesis 

$\mathcal{D}(t_i[\sigma(l)]_q), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(t_i[\sigma(r)]_q) ,$ 

and we show that 

$\mathcal{D}(f(t_1, \dots, t_i[\sigma(l)]_q, \dots, t_n)), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(f(t_1, \dots, t_i[\sigma(r)]_q, \dots, t_n))$ 

is a provable sequent, where $i.q = p$. 



The following theorem asserts that Definitions 3.2 and 3.4 are adequate for a conditional term rewrite 
rule to preserve validity and well-definedness when applied to a formula. 

Theorem 3.7 Let $l \xrightarrow{c} r$ be a conditional term rewrite rule, $f$ be a formula, $p$ be a position within $f$ such 
that $f|_p$ is a term, and $\sigma$ be a non-conflicting substitution such that 

$\mathrm{Dom}(\sigma) \subseteq \mathit{Var}(l) .$ 

If $l \xrightarrow{c} r$ is valid and WD-preserving, then the following two sequents are provable: 

$\sigma(c) \;\vdash_{\mathcal{D}}\; f[\sigma(l)]_p \Leftrightarrow f[\sigma(r)]_p ,$ (15) 

$\mathcal{D}(f[\sigma(l)]_p), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(f[\sigma(r)]_p) .$ (16) 

Proof. 

1. Proof of sequent (15): We proceed by induction on the structure of the formula $f$. We show a 
sketch of the proof, and only cover three interesting cases. 

(a) Base Case: $f$ is of the shape $\rho(t_1, \dots, t_n)$ such that $\rho \in P$ and $t_1, \dots, t_n$ are terms. In this case, 
position $p$ can only be of the form $i.q$ for some position $q$ and $1 \le i \le n$, since the root position 
is that of a formula. Therefore, (15) becomes 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \rho(t_1, \dots, t_n)[\sigma(l)]_p \Leftrightarrow \rho(t_1, \dots, t_n)[\sigma(r)]_p ,$ 

where $p = i.q$ for some position $q$ and $1 \le i \le n$. This can be rewritten to 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \rho(t_1, \dots, t_i[\sigma(l)]_q, \dots, t_n) \Leftrightarrow \rho(t_1, \dots, t_i[\sigma(r)]_q, \dots, t_n) .$ 

This amounts to proving the following two sequents: 

$\sigma(c), \rho(t_1, \dots, t_i[\sigma(l)]_q, \dots, t_n) \;\vdash_{\mathcal{D}}\; \rho(t_1, \dots, t_i[\sigma(r)]_q, \dots, t_n) ,$ 

$\sigma(c), \rho(t_1, \dots, t_i[\sigma(r)]_q, \dots, t_n) \;\vdash_{\mathcal{D}}\; \rho(t_1, \dots, t_i[\sigma(l)]_q, \dots, t_n) .$ 

Using Theorem 3.5, both sequents can be shown to be provable. 

(b) Inductive Case: $f$ is of the shape $\varphi \wedge \psi$ such that $\varphi$ and $\psi$ are formulae. In this case, (15) 
becomes 

$\sigma(c) \;\vdash_{\mathcal{D}}\; (\varphi \wedge \psi)[\sigma(l)]_p \Leftrightarrow (\varphi \wedge \psi)[\sigma(r)]_p .$ (17) 

Position $p$ can only be of the form $p = 1.q$ or $p = 2.q$ for some position $q$. We distinguish the 
two cases: 

i. $p = 1.q$: In this case, sequent (17) becomes 

$\sigma(c) \;\vdash_{\mathcal{D}}\; (\varphi[\sigma(l)]_q \wedge \psi) \Leftrightarrow (\varphi[\sigma(r)]_q \wedge \psi) .$ (18) 

To proceed, we assume the following inductive hypothesis 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \varphi[\sigma(l)]_q \Leftrightarrow \varphi[\sigma(r)]_q ,$ (19) 

and we show that sequent (18) is provable. 

ii. $p = 2.q$: analogous to the previous case. 

(c) Inductive Case: $f$ is of the shape $\forall x \cdot \varphi$ such that $\varphi$ is a formula. In this case, (15) becomes 

$\sigma(c) \;\vdash_{\mathcal{D}}\; (\forall x \cdot \varphi)[\sigma(l)]_p \Leftrightarrow (\forall x \cdot \varphi)[\sigma(r)]_p .$ (20) 

Position $p$ can only be of the form $p = 1.q$ for some position $q$. Sequent (20) simplifies to 

$\sigma(c) \;\vdash_{\mathcal{D}}\; (\forall x \cdot \varphi[\sigma(l)]_q) \Leftrightarrow (\forall x \cdot \varphi[\sigma(r)]_q) .$ (21) 

To proceed, we assume that the following sequent is provable: 

$\sigma(c) \;\vdash_{\mathcal{D}}\; \varphi[\sigma(l)]_q \Leftrightarrow \varphi[\sigma(r)]_q ,$ (22) 

and we show that sequent (21) is provable. 
2. Proof of sequent (16): this is similar to the proof of sequent (15). We only show one inductive case. 

(a) Inductive Case: $f$ is of the shape $\varphi \wedge \psi$ such that $\varphi$ and $\psi$ are formulae. In this case, (16) 
becomes 

$\mathcal{D}((\varphi \wedge \psi)[\sigma(l)]_p), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}((\varphi \wedge \psi)[\sigma(r)]_p) .$ (23) 

Position $p$ can only be of the form $p = 1.q$ or $p = 2.q$ for some position $q$. We distinguish the 
two cases: 

i. $p = 1.q$: In this case, sequent (23) becomes 

$\mathcal{D}(\varphi[\sigma(l)]_q \wedge \psi), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\varphi[\sigma(r)]_q \wedge \psi) .$ (24) 

To proceed, we assume that the following sequent is provable: 

$\mathcal{D}(\varphi[\sigma(l)]_q), \sigma(c) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\varphi[\sigma(r)]_q) ,$ (25) 

and we show that sequent (24) is provable. 

ii. $p = 2.q$: analogous to the previous case. 

Summary. In this section, we have defined the criteria for the validity and well-definedness preservation 
of term rewrite rules when rewriting interleaves with the rules of the proof system developed in [12]. 
In the next section, we show how rewriting can be systematically used as a proof step. 



4 Rewriting as a Proof Step 

Rewriting can be used in proofs alongside the WD-preserving sequent calculus. Conditional term rewrite 
rules which have the same left hand side are grouped together. For this purpose, we use a more convenient 
notation. Given a valid and WD-preserving (grouped) conditional term rewrite rule 

$l \;\to\; c_1 : r_1 \;\mid\; \dots \;\mid\; c_n : r_n$ 

(each $l \xrightarrow{c_i} r_i$ being a conditional term rewrite rule), we can add the following proof step to our calculus: 

$\dfrac{H, P[\sigma(l)]_p \vdash_{\mathcal{D}} \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n)) \qquad H, P[\sigma(l)]_p \vdash_{\mathcal{D}} \sigma(c_1) \vee \dots \vee \sigma(c_n) \qquad H, \sigma(c_1), P[\sigma(r_1)]_p \vdash_{\mathcal{D}} R \quad \dots \quad H, \sigma(c_n), P[\sigma(r_n)]_p \vdash_{\mathcal{D}} R}{H, P[\sigma(l)]_p \vdash_{\mathcal{D}} R}\;\; \mathrm{hyp}_{\mathcal{D}}$ (26) 

under the proviso that all free variables of $\sigma(r_i)$ (for all $i$ such that $1 \le i \le n$) occur free in $P[\sigma(l)]_p$. This 
proof step allows the hypothesis $P[\sigma(l)]_p$ to be rewritten to several cases according to the rewrite rule. 
Under the proviso that all free variables of $\sigma(r_i)$ (for all $i$ such that $1 \le i \le n$) occur free in $R[\sigma(l)]_p$, the 
following proof step can be added for goal rewriting: 

$\dfrac{H \vdash_{\mathcal{D}} \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n)) \qquad H \vdash_{\mathcal{D}} \sigma(c_1) \vee \dots \vee \sigma(c_n) \qquad H, \sigma(c_1) \vdash_{\mathcal{D}} R[\sigma(r_1)]_p \quad \dots \quad H, \sigma(c_n) \vdash_{\mathcal{D}} R[\sigma(r_n)]_p}{H \vdash_{\mathcal{D}} R[\sigma(l)]_p}\;\; \mathrm{goal}_{\mathcal{D}}$ (27) 

Proof steps (26) and (27) can be derived using the cut rule, followed by a disjunction elimination, after 
which rewriting can be applied. We now examine some special cases that can be used to facilitate proofs. 
4.1 Unconditional Term Rewrite Rules 

A term rewrite rule $l \xrightarrow{c} r$ is called unconditional iff $c = \top$. In this case, steps (26) and (27) can be 
simplified as follows: 

$\dfrac{H, P[\sigma(r)]_p \vdash_{\mathcal{D}} R}{H, P[\sigma(l)]_p \vdash_{\mathcal{D}} R}\;\; \mathrm{uhyp}_{\mathcal{D}}$ (28) 

$\dfrac{H \vdash_{\mathcal{D}} R[\sigma(r)]_p}{H \vdash_{\mathcal{D}} R[\sigma(l)]_p}\;\; \mathrm{ugoal}_{\mathcal{D}}$ (29) 

4.2 Case-complete Grouped Term Rewrite Rules 

A grouped term rewrite rule 

$l \;\to\; c_1 : r_1 \;\mid\; \dots \;\mid\; c_n : r_n$ 

is called case-complete iff the following sequent is provable: 

$\vdash_{\mathcal{D}}\; c_1 \vee \dots \vee c_n .$ 

In this case, steps (26) and (27) can be simplified as follows: 

$\dfrac{H, P[\sigma(l)]_p \vdash_{\mathcal{D}} \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n)) \qquad H, \sigma(c_1), P[\sigma(r_1)]_p \vdash_{\mathcal{D}} R \quad \dots \quad H, \sigma(c_n), P[\sigma(r_n)]_p \vdash_{\mathcal{D}} R}{H, P[\sigma(l)]_p \vdash_{\mathcal{D}} R}\;\; \mathrm{chyp}_{\mathcal{D}}$ (30) 

$\dfrac{H \vdash_{\mathcal{D}} \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n)) \qquad H, \sigma(c_1) \vdash_{\mathcal{D}} R[\sigma(r_1)]_p \quad \dots \quad H, \sigma(c_n) \vdash_{\mathcal{D}} R[\sigma(r_n)]_p}{H \vdash_{\mathcal{D}} R[\sigma(l)]_p}\;\; \mathrm{cgoal}_{\mathcal{D}}$ (31) 



4.3 Top-level Occurrence 



Definition 4.1 (Top-Level Occurrence) Let $t$ be a term, $f$ be a formula, $p$ be a position within $f$. We 
say that $t$ has a top-level occurrence in $f$ if $f$ is either of the form 

1. $q(t_1, \dots, t_n)[t]_p$ where $q \in P$ and $t_1, \dots, t_n$ are terms, or; 

2. $(t_1 = t_2)[t]_p$ where $t_1$ and $t_2$ are terms. 

If $t$ has a top-level occurrence in $f$, then it also has a top-level occurrence in $\neg f$. 

We have the following interesting property: 

Proposition 4.2 If the term $t$ has a top-level occurrence in formula $f$, then the following holds 
If we further constrain grouped conditional term rewrite rules such that we have 



1=1 



Proposition 4.2 can be used to simplify proofs. Let $P[\sigma(l)]_p$ be a formula such that $\sigma(l)$ occurs at 
the top level. Since the grouped term rewrite rule is valid and WD-preserving, and using the previous 
proposition, we have the following 



and, consequently: 



$\mathcal{D}(P[\sigma(l)]_p) \;\vdash_{\mathcal{D}}\; \mathcal{D}(\sigma(l))$ 



!=1 



under the proviso that all free variables of $\sigma(c_i)$ (for all $i$ such that $1 \le i \le n$) occur free in $P[\sigma(l)]_p$. In 
this particular case, the sequents 

$H, P[\sigma(l)]_p \;\vdash_{\mathcal{D}}\; \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n)) ,$ 

$H \;\vdash_{\mathcal{D}}\; \mathcal{D}(\sigma(c_1) \vee \dots \vee \sigma(c_n))$ 

in (26) and (27) respectively, are guaranteed to be provable. As such, they could be removed from the 
list of sub-goals that the modeller sees. 



5 Applications to Event-B 

As mentioned in Section 1.1, Event-B modelling is carried out using two constructs: contexts and machines. A 
third construct, called theory, has been implemented to bring a degree of meta-reasoning to the Rodin 
platform [1]. The theory construct has the following shape: 

Theory theory_name 
Sets S_1, S_2, ... 
Metavariables v_1, v_2, ... 
Rewrite Rules r_1, r_2, ... 
End 

Figure 5: The Theory Construct 

1. Sets. A theory can define a number of given sets which define the types on which the theory is 
parametrised. 

2. Metavariables. A theory can define a number of metavariables that can be used to specify rewrite 
rules. Each metavariable is associated with a type; this can be constructed using the given sets of 
the theory as well as the built-in types (e.g., $\mathbb{Z}$) using type constructors. For example, if a given set 
$S$ is defined within a theory, then $\mathbb{P}(\mathbb{Z}) \times S$ can be used as a type for a metavariable. 

3. Rewrite Rules. Rewrite rules are one-directional equations that can be used to rewrite formulae 
to equivalent forms. As part of specifying a rewrite rule, the theory developer decides whether 
the rule can be applied automatically without user intervention or interactively following a user 
request. 

The theory construct can be extended to enable the specification of inference rules. In brief, it facilitates 
the following: 

• specification of proof rules within the same platform providing a degree of meta-reasoning within 
Rodin, 

• validation of specified proof rules to ensure that the soundness of the prover is not compromised. 



The validation of rewrite rules is achieved by means of proof obligations. Definitions 3.2 and 3.4 define 
the criteria for validity and WD-preservation of rewrite rules. 

The theory construct has been developed as part of a rule-based prover [11] which, in brief, offers 
the following capabilities: 

1. Users can develop theories in the same way as contexts and machines. At the moment, theory 
development includes specification of rewrite rules including definition of sets and metavariables. 
Metavariables must be defined with their types, which can be constructed from the theory sets and 
any built-in types (e.g., $\mathbb{Z}$) using type constructors (e.g., $\mathbb{P}$). 

2. Users can validate rewrite rules through generated proof obligations. The proof obligations gener- 
ated for rules are to establish soundness, well-definedness preservation and case-completeness. 

3. Users can deploy theories to a specific directory where they become available to the interactive 
and automatic provers of Rodin. Theory deployment adds soundness information to all deployed 
rules. 

4. Users can use rewrite rules defined within the deployed theories as a part of the proving activity. 
A pattern matching mechanism is implemented to calculate applicable rewrite rules to any given 
sequent. 

Examples. The following two rules are valid and WD-preserving: 

$\mathit{card}(i..j) \;\to\; j - i + 1$ (32) 

card{i..j) — ^ , (33) 

where $i$ and $j$ are integers, $i..j$ denotes an integer range, and $\mathit{card}$ denotes the cardinality operator. The 
following rules are not WD-preserving: 

T a 



a 



(34) 



$(f <\!\!+ \{z \mapsto y\})(x) \;\to\; f(x) ,$ (35) 

where $a$ is an integer, $f$ a relation, and $x$, $y$ and $z$ are of arbitrary types. Moreover, $<\!\!+$ denotes relational 
override. Rule (35) is not WD-preserving since there could be a case where $f <\!\!+ \{z \mapsto y\}$ is a function but 
$f$ is not. For instance, consider $f = \{1 \mapsto 2, 1 \mapsto 3, 2 \mapsto 4\}$; then $f <\!\!+ \{1 \mapsto 5\} = \{1 \mapsto 5, 2 \mapsto 4\}$. In this 
case, $(f <\!\!+ \{1 \mapsto 5\})(1)$ is well-defined, but $f(1)$ is not. 
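The argument above can be checked by exhaustion on a small carrier. The following Python script is an added example (not part of the paper or of the rule-based prover): it models relations as sets of pairs, takes the Event-B condition for $f(x)$ to be well-defined to be "$f$ is a partial function and $x \in \mathrm{dom}(f)$" (an assumption of this illustration), and searches all relations over $\{1, 2\}$ for valuations that refute $\mathcal{D}(l), c \vdash_{\mathcal{D}} \mathcal{D}(r)$. Since the condition $c$ of rule (35) did not survive extraction, the script assumes $c$ to be $x \neq z$. It also checks the same identity read from right to left, $f(x) \to (f <\!\!+ \{z \mapsto y\})(x)$, which does preserve well-definedness: overriding a function yields a function whose domain contains $\mathrm{dom}(f)$. That converse is an observation added here, not a claim of the paper, and it illustrates why WD-preservation is tied to the direction in which a rule is applied.

```python
"""Semantic check of WD-preservation (Definition 3.4) for rule (35) over a
finite carrier.  Added example, not part of the paper or of the Rodin rule-based
prover.  Assumptions: relations are sets of pairs; the well-definedness
condition of function application f(x) is that f is a (partial) function and
x is in dom(f); and the rule's condition c, lost in the text above, is taken
to be x /= z."""
from itertools import product
from typing import Callable, FrozenSet, List, Tuple

Rel = FrozenSet[Tuple[int, int]]
CARRIER = (1, 2)        # small carrier so that every relation can be enumerated


def is_function(f: Rel) -> bool:
    firsts = [a for a, _ in f]
    return len(firsts) == len(set(firsts))


def dom(f: Rel):
    return {a for a, _ in f}


def override(f: Rel, g: Rel) -> Rel:
    """Relational override f <+ g: pairs of f outside dom(g), plus g."""
    return frozenset({(a, b) for a, b in f if a not in dom(g)} | set(g))


def wd_apply(f: Rel, x: int) -> bool:
    """D(f(x)) under the assumed Event-B convention."""
    return is_function(f) and x in dom(f)


def all_relations():
    pairs = list(product(CARRIER, CARRIER))
    for bits in product((0, 1), repeat=len(pairs)):
        yield frozenset(p for p, b in zip(pairs, bits) if b)


Valuation = Tuple[Rel, int, int, int]        # (f, x, y, z)


def counterexamples(cond: Callable[..., bool],
                    wd_lhs: Callable[..., bool],
                    wd_rhs: Callable[..., bool]) -> List[Valuation]:
    """Valuations refuting  D(l), c |- D(r):  c and D(l) hold but D(r) fails."""
    return [(f, x, y, z)
            for f in all_relations()
            for x, y, z in product(CARRIER, repeat=3)
            if cond(f, x, y, z) and wd_lhs(f, x, y, z) and not wd_rhs(f, x, y, z)]


def cond35(f, x, y, z):                      # assumed condition c of rule (35)
    return x != z


def wd_override_app(f, x, y, z):             # D( (f <+ {z |-> y})(x) )
    return wd_apply(override(f, frozenset({(z, y)})), x)


def wd_plain_app(f, x, y, z):                # D( f(x) )
    return wd_apply(f, x)


def rule35_forward() -> List[Valuation]:
    """(f <+ {z |-> y})(x) --> f(x): the direction the paper rejects."""
    return counterexamples(cond35, wd_override_app, wd_plain_app)


def rule35_reverse() -> List[Valuation]:
    """f(x) --> (f <+ {z |-> y})(x): the same identity read the other way."""
    return counterexamples(cond35, wd_plain_app, wd_override_app)


def paper_instance():
    """The paper's own counterexample: f = {1|->2, 1|->3, 2|->4} overridden by {1|->5}."""
    f = frozenset({(1, 2), (1, 3), (2, 4)})
    g = override(f, frozenset({(1, 5)}))
    return g, wd_apply(g, 1), wd_apply(f, 1)


if __name__ == "__main__":
    print(paper_instance())
    print(len(rule35_forward()), "forward counterexamples;",
          len(rule35_reverse()), "reverse counterexamples")
```

The forward search finds refutations such as $f = \{1 \mapsto 1, 1 \mapsto 2, 2 \mapsto 2\}$, $z = 1$, $x = 2$: the override removes the offending pairs at $1$ and leaves a function, so the left hand side is well-defined while $f(2)$ is not. The reverse search finds none, which is what Definition 3.4 demands of the rule read in that direction; an exhaustive check on a two-element carrier is of course evidence, not the proof obligation the Rodin theory plug-in generates.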
6 Future Work & Conclusions 

In this paper, we provided a treatment of well-definedness and rewriting. We singled out the necessary 
conditions under which rewriting preserves well-definedness. These conditions are necessary for the 
valid interleaving between rewriting steps and deduction in the WD-preserving proof calculus presented 
in [12]. In our study, we used the language signature $\Sigma$ whereby terms are only defined using other terms. 
In general, however, terms can also be constructed using formulae, e.g., set comprehension $\{x \cdot P\}$. This 
changes the well-definedness conditions of terms, and it is interesting to establish whether the conditions 
outlined in Definitions 3.2 and 3.4 are indeed sufficient. 

We have presented a study unifying the notions of term rewriting and well-definedness in the context 
of the interleaving between deduction and rewriting. The results of this paper provided the theoretical 
foundations of an extensible rewriting-based prover (also called rule-based prover) that has been imple- 
mented for Event-B. 